Paper 2021/079

A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM

Kalle Ngo, Elena Dubrova, Qian Guo, and Thomas Johansson

Abstract

In this paper, we present the first side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 16 traces by deep learning-based power analysis without explicitly extracting the random mask at each execution. Since the presented method does not depend on the mask, we can improve the success probability by combining the score vectors of multiple traces captured for the same ciphertext. This is an important advantage over previous attacks on LWE/LWR-based KEMs, which must rely on a single trace. Another advantage is that the presented method requires neither a profiling device with a deactivated countermeasure nor a known secret key. Thus, if a device under attack is accessible, it can be used for profiling, which typically maximizes the classification accuracy of deep learning models. In addition, we discovered a previously unknown leakage point in the primitive for masked logical shifting on arithmetic shares. We also present a new approach to secret key recovery that uses maps from error-correcting codes; this approach can compensate for some errors in the recovered message.
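The abstract's central point for anyone evaluating a masked implementation is that a countermeasure assessed only against single-trace attacks understates the risk: once a classifier's output does not depend on the per-execution mask, score vectors from repeated executions of the same ciphertext can simply be combined. The following added illustration (not code from the paper or its authors) shows the generic mechanism with a constructed two-class setting standing in for one recovered message bit: per-trace probability vectors are merged by summing log-probabilities (the product rule, assuming independent per-trace noise), and a seeded simulation compares single-trace accuracy with the accuracy after combining 16 traces. The classifier, its accuracy around 0.65 per trace, and the function names are assumptions for illustration only.

```python
import math
import random

# Added illustration (not the paper's code): combining per-trace classifier
# score vectors captured for the same ciphertext, and measuring how much the
# combination lifts accuracy above what any single trace gives.
# Classes 0/1 stand for one recovered message bit; every score vector below
# is constructed, not measured from a device.


def combine_scores(score_vectors):
    """Combine softmax score vectors (one per trace) by summing log-probabilities.

    This is the product rule under an independence assumption on per-trace
    noise; the result is renormalised to a probability vector.
    """
    n_classes = len(score_vectors[0])
    log_sum = [0.0] * n_classes
    for sv in score_vectors:
        if len(sv) != n_classes:
            raise ValueError("all score vectors must have the same length")
        for i, p in enumerate(sv):
            log_sum[i] += math.log(max(p, 1e-12))  # clamp so log(0) cannot occur
    shift = max(log_sum)  # subtract the maximum before exp() for numerical stability
    weights = [math.exp(v - shift) for v in log_sum]
    total = sum(weights)
    return [w / total for w in weights]


def predict(score_vectors):
    """Index of the class with the highest combined score."""
    combined = combine_scores(score_vectors)
    return max(range(len(combined)), key=lambda i: combined[i])


def simulate_bit_recovery(n_trials=1000, traces_per_ct=16, seed=1):
    """Constructed simulation of a weak single-trace classifier.

    For each trial a true bit is drawn, and each trace yields a score vector
    whose probability on the true bit is sampled around 0.65 (assumed value).
    Returns (single_trace_accuracy, combined_accuracy).
    """
    rng = random.Random(seed)
    single_correct = 0
    combined_correct = 0
    for _ in range(n_trials):
        true_bit = rng.randrange(2)
        vectors = []
        for _ in range(traces_per_ct):
            p_true = min(0.98, max(0.02, rng.gauss(0.65, 0.15)))
            sv = [0.0, 0.0]
            sv[true_bit] = p_true
            sv[1 - true_bit] = 1.0 - p_true
            vectors.append(sv)
        if predict(vectors[:1]) == true_bit:   # decision from the first trace alone
            single_correct += 1
        if predict(vectors) == true_bit:       # decision from all traces combined
            combined_correct += 1
    return single_correct / n_trials, combined_correct / n_trials


if __name__ == "__main__":
    print("two agreeing traces:", combine_scores([[0.6, 0.4], [0.6, 0.4]]))
    single, combined = simulate_bit_recovery()
    print(f"single-trace accuracy: {single:.3f}, "
          f"{16}-trace combined accuracy: {combined:.3f}")
```

The simulation is the point for a defender: a classifier that is right on only about 84% of individual traces becomes essentially always right once 16 traces of the same ciphertext are merged, so a masking scheme's security margin has to be judged against the number of traces an attacker can collect, not against one.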

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
post-quantum cryptography, Saber KEM, side-channel attack, power analysis
Contact author(s)
dubrova @ kth se
History
2021-01-22: received
Short URL
https://ia.cr/2021/079
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/079,
      author = {Kalle Ngo and Elena Dubrova and Qian Guo and Thomas Johansson},
      title = {A Side-Channel Attack on a Masked {IND}-{CCA} Secure Saber {KEM}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/079},
      year = {2021},
      url = {https://eprint.iacr.org/2021/079}
}